HTTP composer dependencies

A recent update to composer added a configuration option secure-http, which is defaulted to true. As the name suggest the setting relates to https. More specifically it errors if you attempt to pull in a dependency over the http protocol. Importantly, this error is triggered by both packages AND repositories. If you are pulling all your dependencies from packagist / github / bitbucket then you might not have noticed this change as it probably didn’t affect you. If you are mirroring your own packages however this may become an issue for you.

Ultimately I feel this was a good idea and I’m happy to see composer pushing secure practices forward. With the arrival of Let’s Encrypt, offering free signed certificates, it’s hard to find a valid reason not to keep your own mirrors secure. If this change caught you by surprise though, and you are currently relying on http, you can disable either per project by running:

Disable per project

1

composer config secure-http false

From your project directory, or globally by running:

Disable globally

1

composer config secure-http false--global

I’d highly recommend switching over to https as soon as possible though. Once you have, don’t forget to re-enable the check to ensure you maintain this standard going forward.